A critical maximum-severity security vulnerability in Cisco Catalyst SD-WAN Controller and Manager, identified as CVE-2026-20127, is actively being exploited in the wild. This flaw, carrying a CVSS score of 10.0, allows unauthenticated remote attackers to bypass security measures and gain administrative privileges on affected systems. The exploitation has been linked to malicious activities dating back to 2023, indicating a sophisticated and persistent threat actor.
The vulnerability allows attackers to obtain elevated privileges, essentially operating as a high-privileged, non-root user. Cisco stated that the issue stems from an improperly functioning peering authentication mechanism. Exploitation success means threat actors can utilize this non-root account to access NETCONF and manipulate network configurations within the SD-WAN fabric. The company is tracking the exploitation and subsequent post-compromise activities under the designation UAT-8616, describing the group as a “highly sophisticated cyber threat actor.”
Cisco Catalyst SD-WAN Vulnerability Under Active Exploitation
The critical flaw, CVE-2026-20127, discovered and reported by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC), affects several deployment types of Cisco Catalyst SD-WAN, regardless of specific device configurations. These include on-premises deployments, Cisco-hosted SD-WAN cloud solutions, and Cisco-managed cloud environments, including those within FedRAMP specifications. The potential for unauthorized access to sensitive network control mechanisms makes this a significant cybersecurity concern.
Cisco has outlined the versions in which the vulnerability has been addressed and urges customers to migrate to a fixed release. For instance, versions prior to 20.91 require an upgrade. A fixed release for version 20.9 is listed for February 27, 2026, and fixed releases are also provided for versions 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, and 20.18. Cisco explicitly warned that systems exposed to the internet with open ports are at elevated risk of compromise.
To aid in detection, Cisco recommends customers audit authentication logs, specifically the “/var/log/auth.log” file, for unusual entries such as “Accepted publickey for vmanage-admin” originating from unrecognized or unauthorized IP addresses. Comparing these IP addresses against the configured System IPs in the Cisco Catalyst SD-WAN Manager web interface is advised to identify potential breaches.
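The audit Cisco describes above, written out as a small log check. This is an added example, not Cisco's own tooling: it parses the standard OpenSSH "Accepted publickey" message, keeps only logins for the vmanage-admin account, and flags any whose source address is not in the list of configured System IPs. The auth.log lines and the System IP list are constructed placeholders; the real list comes from the SD-WAN Manager web interface.

```python
"""Audit an SD-WAN Manager auth.log for vmanage-admin public-key logins
that did not originate from a configured System IP.

Added example (not Cisco's code). The log lines and the System IP list
below are constructed placeholders.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Standard sshd message: "Accepted publickey for <user> from <ip> port <n> ..."
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[\da-fA-F.:]+) port \d+"
)


def parse_accepted_logins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (log prefix, user, source ip) for each accepted public-key login."""
    found = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            prefix = line[: m.start()].strip()
            found.append((prefix, m.group("user"), m.group("ip")))
    return found


def suspicious_admin_logins(lines: Iterable[str], system_ips: Iterable[str],
                            user: str = "vmanage-admin") -> List[Tuple[str, str, str]]:
    """Logins for `user` whose source address is not one of the configured System IPs."""
    allowed = {ipaddress.ip_address(ip) for ip in system_ips}
    hits = []
    for prefix, u, ip in parse_accepted_logins(lines):
        if u != user:
            continue
        try:
            src = ipaddress.ip_address(ip)
        except ValueError:
            # sshd should never log an unparseable address; surface it rather than drop it
            hits.append((prefix, ip, "unparseable source address"))
            continue
        if src not in allowed:
            hits.append((prefix, ip, "source is not a configured System IP"))
    return hits


# Constructed sample auth.log lines (not real data).
SAMPLE_AUTH_LOG = """\
Feb 20 01:02:03 vmanage sshd[1201]: Accepted publickey for vmanage-admin from 10.10.10.2 port 51234 ssh2: RSA SHA256:AAAA
Feb 20 01:05:44 vmanage sshd[1210]: Failed password for invalid user test from 10.10.10.9 port 40000 ssh2
Feb 20 02:15:09 vmanage sshd[1300]: Accepted publickey for vmanage-admin from 203.0.113.77 port 51000 ssh2: RSA SHA256:BBBB
Feb 20 02:20:00 vmanage sshd[1305]: Accepted publickey for admin from 203.0.113.77 port 51001 ssh2: RSA SHA256:CCCC
""".splitlines()

# Placeholder System IPs; replace with the list configured in the Manager web interface.
CONFIGURED_SYSTEM_IPS = ["10.10.10.2", "10.10.10.3"]

if __name__ == "__main__":
    for prefix, ip, reason in suspicious_admin_logins(SAMPLE_AUTH_LOG, CONFIGURED_SYSTEM_IPS):
        print(f"REVIEW: {prefix} vmanage-admin login from {ip}: {reason}")
```

Run it against the real file with `suspicious_admin_logins(open("/var/log/auth.log"), system_ips)`. A hit is a starting point for investigation, not proof of compromise: a legitimate administrator connecting from an unlisted management host produces the same line, so each flagged address should be reconciled against known management sources before escalating.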
Information from the ASD-ACSC indicates that the threat actor, UAT-8616, has been compromising Cisco SD-WANs since 2023 using this zero-day exploit to achieve elevated access. The vulnerability enables the creation of a rogue peer within the network’s management or control plane. This rogue device then masquerades as a legitimate, albeit temporary, component, allowing the actor to perform trusted actions directly within the crucial planes of the SD-WAN infrastructure.
Following initial compromise of a public-facing application, the attackers have been observed leveraging the built-in update mechanism. This involves orchestrating a software version downgrade and then exploiting CVE-2022-20775, a separate high-severity privilege escalation bug in the Cisco SD-WAN CLI, to escalate to root user privileges. After achieving root access, they restore the software to its original version, further obscuring their presence.
Post-compromise activities noted by security researchers include the creation of local user accounts that mimic legitimate ones, the addition of SSH authorized keys for root access, and the modification of SD-WAN start-up scripts to customize the environment. Additionally, the threat actors have used both NETCONF on port 830 and SSH to communicate with and between Cisco SD-WAN appliances within the management plane. Efforts to cover their tracks have involved purging log files under “/var/log,” command history, and network connection history.
The ongoing targeting of network edge devices by sophisticated cyber threat actors, particularly for establishing persistent footholds in high-value organizations including critical infrastructure sectors, is a continuing trend, according to Cisco’s threat intelligence arm, Talos. This observation underscores the strategic importance of these network devices in modern IT infrastructures.
In response to these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog. This action requires Federal Civilian Executive Branch (FCEB) agencies to implement the necessary fixes within a strict 24-hour timeframe. CISA also recommends analyzing specific log files for indicators of version downgrade and unexpected reboot events, including those in “/var/volatile/log/vdebug” and “/var/log/tmplog/vdebug.”
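The downgrade-then-restore sequence described above leaves a version history that can be checked mechanically: walk the log in order, keep the last version seen, and flag any point where the version goes backwards, along with reboot events. The following is an added example, not a CISA or Cisco tool. The line format, the "software version" and "system reboot" marker strings, and the sample lines are all assumptions; Cisco does not document the vdebug format on this page, so the markers must be adapted to what the real files contain.

```python
"""Flag software-version downgrades and reboot events in an ordered run of
vdebug-style log lines.

Added example (not Cisco's or CISA's code). The line format, the marker
strings and the sample lines are assumptions, not a documented format.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Dotted release string such as 20.12.3 or 20.9.5.1 (assumed to appear in the line).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")

# Hypothetical markers; replace with the strings present in your own vdebug files.
VERSION_MARKER = "software version"
REBOOT_MARKER = "system reboot"


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a release number as a 4-tuple (missing trailing field padded with 0)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) if p is not None else 0 for p in m.groups()]
    return (parts[0], parts[1], parts[2], parts[3])


def audit_version_events(lines: Iterable[str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (kind, previous line, current line) findings.

    kind is "downgrade" when the version in the current line is lower than the
    last version seen, or "reboot" for a reboot marker line.
    """
    findings = []
    last_version = None
    last_line = None
    for line in lines:
        lower = line.lower()
        if VERSION_MARKER in lower:
            version = parse_version(line)
            if version is None:
                continue
            if last_version is not None and version < last_version:
                findings.append(("downgrade", last_line, line))
            last_version, last_line = version, line
        elif REBOOT_MARKER in lower:
            findings.append(("reboot", None, line))
    return findings


# Constructed sample lines (not real vdebug output). They mimic the pattern the
# article describes: a downgrade, a reboot, then a restore to the original version.
SAMPLE_VDEBUG = [
    "2026-02-10 03:00:01 vdaemon: software version 20.12.3 active",
    "2026-02-18 22:41:10 vdaemon: software version 20.9.5 active",
    "2026-02-18 22:41:12 vdaemon: system reboot requested",
    "2026-02-18 23:05:00 vdaemon: software version 20.12.3 active",
]

if __name__ == "__main__":
    for kind, previous, current in audit_version_events(SAMPLE_VDEBUG):
        if kind == "downgrade":
            print(f"DOWNGRADE: {previous!r} -> {current!r}")
        else:
            print(f"REBOOT: {current!r}")
```

The restore to the original version produces no finding on its own, which is the point: on a device that was only ever upgraded, the version sequence is monotonically non-decreasing, so any downgrade finding (especially one bracketed by a reboot and a later return to the prior version) is worth correlating with the auth.log and account checks above.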
CISA has issued an emergency directive, 26-03, titled “Mitigate Vulnerabilities in Cisco SD-WAN Systems.” This directive requires federal agencies to inventory all Cisco SD-WAN devices on their networks, apply relevant updates, and conduct thorough assessments for potential compromise. The directive outlines strict deadlines for reporting: agencies must provide an inventory of all in-scope SD-WAN systems by February 26, 2026, 11:59 p.m. ET. A more detailed inventory of products and actions taken is due by March 5, 2026, 11:59 p.m. ET. Finally, a comprehensive list of all hardening steps implemented to secure their environments must be submitted by March 26, 2026, 11:59 p.m. ET. The ongoing implementation of these measures and future threat intelligence will be critical in countering such advanced persistent threats.